I want to lock down my network from PCs for Laptops outside the company.
Basically I do not want anyone to be able to plug in his or her laptop
computer via an RJ45 connection and have any access to resources without
signing in with a valid userid and password. I don't want them to have a
DHCP IP address to surf the Internet unless authorized via their userid and
password.

Where do I start to implement these restrictions?

Thanks

Re: Windows 2003 server Network Security by Shenan

Shenan
Fri Dec 23 15:12:34 CST 2005

Larry Bird wrote:
> I want to lock down my network from PCs for Laptops outside the company.
> Basically I do not want anyone to be able to plug in his or her laptop
> computer via an RJ45 connection and have any access to resources without
> signing in with a valid userid and password. I don't want them to have a
> DHCP IP address to surf the Internet unless authorized via their userid
> and
> password.
>
> Where do I start to implement these restrictions?

Your DHCP server should be configured to give out IPs based off something
you control, or you should not give out DHCP addresses. One or the other
would be the quickest.

You could look into 802.1x authentication in your AD environment - that is
an option as well - since you mentioned you wanted them to have some sort of
authentication first.

The most effective, by far, however, would be limiting by MAC
addresses. A little more management-centric, in that you have to know
every MAC address of every machine that should be able to get an IP from
your DHCP server. Not in that list? Then they (for the most part, unless
they are hackers with a purpose) have to come to you to get that MAC address
added to allow them to get a DHCP IP address.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html



Re: Windows 2003 server Network Security by Steven

Steven
Fri Dec 23 16:50:37 CST 2005

If you are using managed switches they may have the capability to manage
port access by MAC address, either from a table of MAC addresses that can be
manually configured or by putting the switch in learning mode when you are
sure only authorized devices are connected to the network. Many switches can
do 802.1X, which requires the computer to be authenticated before the switch
port allows access, though it also requires compatible operating systems and
a Certificate Authority. Currently there is no way to use Group Policy to
configure "wired" 802.1X like there is for wireless 802.1X.

Another possibility is to implement IPsec in your domain, which can be managed
via Group Policy. Computers that have an IPsec "require" policy will not
communicate with computers that do not have a compatible authentication
method, and in a domain by default Kerberos would be used for computer
authentication, which would rule out non-domain computers. IPsec is a somewhat
complex topic and special considerations must be made for domain controllers
since they are the KDC, but the link below on IPsec domain isolation is a
great start. Possibly something like ISA 2004 as your firewall, using IPsec,
could be used to prevent users on non-domain computers from accessing the
Internet, since the computer would need to access the ISA 2004 server to
authenticate the domain user. Otherwise it is very difficult to stop users
from accessing the Internet if all they need is access to the default
gateway, which can be found out rather easily, and a user could use static IP
configuration to bypass restrictions placed on a DHCP scope. --- Steve

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/ipsecch1.mspx
http://support.microsoft.com/?kbid=254949 --- important info on domain
IPsec.

"Larry Bird" <LarryBird@discussions.microsoft.com> wrote in message
news:AA0A4EB4-869F-4E84-8D61-2EBB09D1A19A@microsoft.com...
>I want to lock down my network from PCs for Laptops outside the company.
> Basically I do not want anyone to be able to plug in his or her laptop
> computer via an RJ45 connection and have any access to resources without
> signing in with a valid userid and password. I don't want them to have a
> DHCP IP address to surf the Internet unless authorized via their userid
> and
> password.
>
> Where do I start to implement these restrictions?
>
> Thanks
>
>
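Added example, not code from either reply or from Microsoft: a small DHCP/BOOTP parser in Python that illustrates both Shenan's suggestion (a DHCP server that only offers leases to MAC addresses on an allowlist) and Steven's caveat (the client chooses the chaddr it sends, and one captured DHCPOFFER to a legitimate client already contains the mask, gateway and DNS servers needed to configure a static address and skip DHCP entirely). The allowlist, MAC addresses, IP addresses and the sample OFFER are all constructed for the example.

```python
"""Added example, not code from the thread: a minimal DHCP/BOOTP parser used to
show (1) a DHCP-server MAC allowlist and (2) why it is weak: the client picks the
chaddr it sends, and one captured DHCPOFFER holds everything a static IP
configuration needs. All MAC and IP addresses here are constructed sample data."""
import socket
import struct

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # 236-byte fixed BOOTP header (RFC 2131)
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the DHCP options
DISCOVER, OFFER = 1, 2                       # DHCP message types (option 53)

# Constructed allowlist: MACs of company machines the admin has recorded.
ALLOWED_MACS = {"00:0c:29:3a:1b:2c", "00:14:22:01:23:45"}


def build_dhcp(op, msg_type, mac, xid=0x3903F326, yiaddr="0.0.0.0", extra_opts=b""):
    """Assemble a BOOTP header plus options; used only to construct sample packets."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(
        BOOTP_FMT, op, 1, 6, 0, xid, 0, 0x8000,   # htype=1 (Ethernet), hlen=6, broadcast flag
        bytes(4), socket.inet_aton(yiaddr), bytes(4), bytes(4),
        chaddr, bytes(64), bytes(128))
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type]) + extra_opts + b"\xff"


def parse_dhcp(packet):
    """Return the fields an admission decision needs; raise on malformed input."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    f = struct.unpack(BOOTP_FMT, packet[:236])
    op, hlen, xid, yiaddr, chaddr = f[0], f[2], f[4], f[8], f[11]
    if not 0 < hlen <= 16:
        raise ValueError("bad hardware address length")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:     # 255 = end option
        if packet[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option")
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "mac": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "yiaddr": socket.inet_ntoa(yiaddr),
        "msg_type": opts.get(53, b"\x00")[0],
        "options": opts,
    }


def admit(packet, allowlist=ALLOWED_MACS):
    """Server-side MAC allowlist: OFFER only to a DISCOVER whose chaddr is known.
    The server can only judge the chaddr the client wrote into the packet."""
    msg = parse_dhcp(packet)
    if msg["op"] != 1 or msg["msg_type"] != DISCOVER:
        return False, "not a DISCOVER"
    if msg["mac"] not in allowlist:
        return False, f"{msg['mac']} is not on the allowlist; no OFFER"
    return True, f"{msg['mac']} is allowed; send OFFER"


def static_config_from_offer(packet):
    """What a visitor learns from one captured OFFER sent to a legitimate client:
    mask, gateway and DNS, enough to configure a static address and skip DHCP."""
    msg = parse_dhcp(packet)
    if msg["msg_type"] != OFFER:
        raise ValueError("not an OFFER")
    o = msg["options"]
    return {
        "observed_address": msg["yiaddr"],
        "subnet_mask": socket.inet_ntoa(o[1]),
        "gateway": socket.inet_ntoa(o[3][:4]),
        "dns": [socket.inet_ntoa(o[6][i:i + 4]) for i in range(0, len(o[6]), 4)],
    }


# Constructed sample OFFER to an allowed client (hypothetical 192.168.10.0/24 network).
SAMPLE_OFFER = build_dhcp(
    2, OFFER, "00:0c:29:3a:1b:2c", yiaddr="192.168.10.77",
    extra_opts=bytes([1, 4]) + socket.inet_aton("255.255.255.0")       # option 1: subnet mask
    + bytes([3, 4]) + socket.inet_aton("192.168.10.1")                 # option 3: router
    + bytes([6, 8]) + socket.inet_aton("192.168.10.5")                 # option 6: DNS servers
    + socket.inet_aton("192.168.10.6"))


if __name__ == "__main__":
    visitor = "de:ad:be:ef:00:01"
    print(admit(build_dhcp(1, DISCOVER, visitor)))               # refused: unknown MAC
    # The visitor clones an allowed MAC; the server receives identical bytes.
    print(admit(build_dhcp(1, DISCOVER, "00:0c:29:3a:1b:2c")))  # accepted
    # Or the visitor skips DHCP after sniffing one OFFER to a real client.
    print(static_config_from_offer(SAMPLE_OFFER))
```

The allowlist check keeps honest users out of the lease pool, which is all Shenan claims for it. The last two calls are the reason Steven points to 802.1X on the switch port or an IPsec "require" policy on the hosts: neither a cloned MAC nor a hand-typed static address gets a laptop past an authentication that happens before or independently of DHCP.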